KRACK: Key Reinstallation Attack

KRACK is a vulnerability discovered by Mathy Vanhoef and published on October 16, 2017 that allows anyone on the same network to read and change the internet data you transmit over Wi-Fi.

It affects all types of WPA2, the only Wi-Fi protection previously known to be secure, and the vulnerability works regardless of how strong your Wi-Fi password is.

KRACK is receiving a lot of attention from the press and experts in the security industry, and vendors are currently working on providing patches to devices that use Wi-Fi, such as computers, phones and access points.

Am I affected?

If you used Wi-Fi any time in the past, you were affected. This means that anyone with knowledge of this vulnerability in the past could have had access to your data transmitted using Wi-Fi, such as your username and password on websites, unless you were using a VPN.

The vendors mentioned in the paper were notified about the vulnerability around 14 July 2017, and a broader notification to all vendors was sent on 28 August 2017.

In particular, exploiting this on Android phones is very simple due to an additional bug. Until an update is published by your Android manufacturer, it's safe to assume your Wi-Fi traffic is not safe. Unfortunately, some Android manufacturers can take months to provide an update, even for serious security fixes.

The researcher also mentions "attacking macOS (..) is significantly easier than discussed in the paper", so although details about this macOS attack are not known yet, it's safe to assume that your macOS Wi-Fi can also be easily read.

What should I do?

The best and simplest way to protect your internet connection over Wi-Fi currently is by using a VPN. Even if you connect to public Wi-Fi, the VPN will always guarantee that any data you send over Wi-Fi is private and secure. If you were using a VPN in the past, it means your data was safe even before this bug was well known.

If you aren’t using a VPN, websites you visit might protect your data if they are configured to always use HTTPS. Even if a website uses HTTPS, unless it is configured to always use it, anyone exploiting this Wi-Fi vulnerability can force your computer or phone not to use HTTPS while they are eavesdropping, so they can read your data. This configuration to always use HTTPS, called HSTS, is unfortunately not very widely used, and not very easily verifiable by the average user.
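As an added example (not part of the original page), this Python parser applies the Strict-Transport-Security rules of RFC 6797 to a response header value and reports what a browser would retain and which gaps remain. The function names and the sample header values are constructed for illustration.

```python
import re

# One directive: token, optionally "=" and a bare or quoted value (simplified from RFC 6797, 6.1).
_DIRECTIVE = re.compile(r'^([A-Za-z0-9!#$%&\'*+.^_`|~-]+)(?:\s*=\s*("?)([^";]*)\2)?$')

def parse_hsts(header_value, received_over_https=True):
    """Return the policy a browser would store, or None if it stores nothing."""
    if not received_over_https:
        return None  # the header is ignored on plain HTTP responses
    seen = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            return None  # malformed directive
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # a repeated directive invalidates the header
        seen[name] = m.group(3)
    max_age = seen.get("max-age")
    if not max_age or not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is required and must be a non-negative integer
    if int(max_age) == 0:
        return None  # max-age=0 tells the browser to drop any stored policy
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen}

def gaps(policy):
    """List the ways plain HTTP can still be used against this site."""
    if policy is None:
        return ["no HSTS policy stored: HTTPS can be stripped on any visit"]
    found = ["first visit is unprotected unless the domain is preloaded in the browser"]
    if not policy["include_subdomains"]:
        found.append("subdomains are not covered")
    return found

if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for value in ["max-age=31536000; includeSubDomains", 'MAX-AGE="600"', "max-age=0", "includeSubDomains"]:
        print(repr(value), "->", gaps(parse_hsts(value)))
```

To check a real site, pass it the header value shown by your browser's developer tools for an HTTPS response from that site.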

Also, unless you are using a VPN, the privacy of data from the apps you use depends solely on the protection built in by the app creator. Unfortunately for the average user, there's no way to verify whether your data is being securely transmitted.

How do I use a VPN?

If you are a customer, all your data has been fully protected from KRACK even when using a vulnerable phone or computer in the past. Your data was never visible to eavesdroppers when you were on Wi-Fi, be it public or private.

If you don’t have an account, sign up below and you’ll be protected from KRACK in just a few minutes.
